take-grant protection model
TRANSCRIPT
05/03/2023 1
Theft and Conspiracy in the Take-Grant Protection Model
Lawrence Snyder
Department of Computer Sciences
Purdue University, West Lafayette, IN 47907
Presented by: Raj Kumar Ranabhat, M.E. in Computer Engineering (I/I)
Kathmandu University
Take-Grant Protection Model
• A specific (not generic) system
• Set of rules for state transitions
• Safety decidable, and in time linear with the size of the system
• Goal: find conditions under which rights can be transferred from one
entity to another in the system
System
○ objects (passive entities like files, ...)
● subjects (active entities like users, processes, ...)
⊗ don't care (either a subject or an object)
R = {t, g, ...}: the set of rights
G ⊢x G′: apply rewriting rule x to G to get G′
G ⊢* G′: apply a sequence of rewriting rules (a witness) to G to get G′
Take-Grant Protection Model
Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that t ∈ γ, an edge from y to z labeled β, and α ⊆ β. Then the take rule defines a new graph G′ by adding an edge from x to z labeled α. Graphically,
Take:
The rule can be read: "x takes (α to z) from y."
Let x, y and z be distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled γ such that g ∈ γ, an edge from x to z labeled β, and α ⊆ β. The grant rule defines a new graph G′ by adding an edge from y to z labeled α. Graphically,
Grant:
The rule can be read: "x grants (α to z) to y."
Let x be any subject vertex in a protection graph G and let α be a non-empty subset of R. Create defines a new graph G′ by adding a new vertex n to the graph and an edge from x to n labeled α. Graphically,
Create:
The rule can be read: "x creates (α to) new {subject/object} n."
Let x and y be any distinct vertices in a protection graph G such that x is a subject. Let there be an edge from x to y labeled β, and let α be any subset of rights. Then remove defines a new graph G′ by deleting the rights in α from β. If β becomes empty as a result, the edge itself is deleted. Graphically,
Remove:
The rule can be read: "x removes (α to) y."
Take-Grant Definable Graphs
Four rule applications let x obtain β to z (step 2 needs g on the x→y edge and step 3 needs β on the y→z edge, as the rule definitions require):
• x creates (tg to) new v
• x grants (g to v) to y
• y grants (β to z) to v
• x takes (β to z) from v
Theorem:
Let the initial protection graph contain exactly one subject vertex and no edges. Then the initial graph ⊢* G if and only if
• G is a finite, directed, loop-free, two-color graph
• the edges are labeled from non-empty subsets of R
• at least one subject in G has no incoming edges
⇒: Let v be the initial subject, and suppose the initial graph ⊢* G.
• G is obviously finite
• G is a directed graph
• G is loop-free
• G is two-colored with the indicated labelling
• Reviewing the rule definitions gives the limits of the rules:
  • since vertices cannot be destroyed, v persists in any graph derived from the initial graph
  • no rule adds an incoming edge to a vertex that has none, so v never acquires one
⇐: Let G satisfy the requirements and be the final graph in the theorem.
• Let G have vertices x1, x2, ..., xn
• Identify v with some subject x1 with no incoming edges
Construct G′ as follows:
• For each remaining xi, perform "v creates (α ∪ {g} to) new xi" (subject or object, as xi is in G)
• For all (xi, xj) where xi has rights α over xj in G, do "x1 grants (α to xj) to xi"
• Let β be the rights x1 (= v) has over xi in G; then do "v removes ((α ∪ {g}) − β) to xi"
Now G′ is the desired G
Predicates and earlier results
• tg-path: vertices p and q of G are tg-connected if there is a path p = x0, ..., xn = q and the label α on the edge between xi and xi+1 contains t or g
• island: an island of G is a maximal, tg-connected, subject-only subgraph of G
• a path x0, x1, ..., xn is an initial span if it has an associated word in {}
• it is a terminal span if n > 0 and it has an associated word in
• it is a bridge if
  1. n > 1 and x0 and xn are subjects
  2. an associated word is in
  3. the xi are objects (0 < i < n)
• islands: {p, u}, {w}, {y, s′}
• bridges: u, v, w; w, x, y
• initial span: p (associated word ν)
• terminal span: s′, s (associated word )
can·share Predicate:
can·share(α, p, q, G) holds if, and only if, there is a sequence of protection graphs starting at G such that G ⊢* G′ and in G′ there is an edge from p to q labeled α.
Theft
can·steal Predicate:
For two distinct vertices p and q in a protection graph G, and right α, define
can·steal(α, p, q, G) ⇔ there is no edge from p to q labeled α in G, and there exist protection graphs derived from G by a sequence of rule applications whose final graph has an edge from p to q labeled α, and if s has an edge to q labeled α in G then no rule application has the form "s grants (α to q) to x" for any vertex x in the graph it is applied to.
Example of Stealing
can·steal(α, s, w, G): s obtains α to w, while u, which holds α to w, never grants it:
• u grants (t to v) to s
• s takes (t to x) from v
• s takes (t to u) from x
• s takes (α to w) from u
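The following is an added example (not part of the slides or of Snyder's paper): the four rewriting rules of slides 4-7 implemented with their preconditions enforced, then used to replay the definable-graph witness of slides 9-12 and the stealing witness of slides 20-24, and to check a candidate witness against the can·steal definition (no vertex that already holds α to q may grant it). The figures are missing from the transcript, so the subject/object kinds of v, x and w, the concrete right "r" standing in for α and β, and all function names are assumptions.

```python
"""Take-Grant rules with precondition checks, replaying the slides' witnesses.
Added example, not from the slides: the kinds of v, x and w and the right "r"
used for alpha/beta are assumptions (the slide figures are lost)."""
from copy import deepcopy


class ProtectionGraph:
    """Vertices are subjects or objects; edges carry non-empty sets of rights."""

    def __init__(self):
        self.kind = {}    # vertex -> "subject" | "object"
        self.edges = {}   # (src, dst) -> set of rights

    def add_vertex(self, name, kind):
        if kind not in ("subject", "object") or name in self.kind:
            raise ValueError(f"bad or duplicate vertex {name!r}")
        self.kind[name] = kind

    def add_edge(self, src, dst, rights):
        if src == dst or src not in self.kind or dst not in self.kind or not rights:
            raise ValueError("an edge joins two distinct vertices with a non-empty label")
        self.edges.setdefault((src, dst), set()).update(rights)

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def _require_subject(self, x):
        if self.kind.get(x) != "subject":
            raise ValueError(f"only a subject can apply a rule, not {x!r}")

    def take(self, x, alpha, z, y):
        """x takes (alpha to z) from y: needs t on x->y and alpha within y->z."""
        self._require_subject(x)
        if "t" not in self.rights(x, y) or not set(alpha) <= self.rights(y, z):
            raise ValueError(f"take precondition fails for {x}, {y}, {z}")
        self.add_edge(x, z, alpha)

    def grant(self, x, alpha, z, y):
        """x grants (alpha to z) to y: needs g on x->y and alpha within x->z."""
        self._require_subject(x)
        if "g" not in self.rights(x, y) or not set(alpha) <= self.rights(x, z):
            raise ValueError(f"grant precondition fails for {x}, {y}, {z}")
        self.add_edge(y, z, alpha)

    def create(self, x, alpha, n, kind):
        """x creates (alpha to) new subject/object n."""
        self._require_subject(x)
        self.add_vertex(n, kind)
        self.add_edge(x, n, alpha)

    def remove(self, x, alpha, y):
        """x removes (alpha to) y; an edge whose label empties is deleted."""
        self._require_subject(x)
        label = self.rights(x, y) - set(alpha)
        if label:
            self.edges[(x, y)] = label
        else:
            self.edges.pop((x, y), None)


def apply_witness(g, steps):
    """Apply a witness (sequence of rule applications) to a copy of g."""
    h = deepcopy(g)
    for rule, *args in steps:
        getattr(h, rule)(*args)
    return h


def definable_graph_witness():
    """Slides 9-12: x obtains beta to z although y never grants directly to x."""
    g = ProtectionGraph()
    for name in ("x", "y", "z"):
        g.add_vertex(name, "subject")
    g.add_edge("x", "y", {"g"})
    g.add_edge("y", "z", {"r"})                       # beta = {"r"}, assumed
    steps = [
        ("create", "x", {"t", "g"}, "v", "object"),   # x creates (tg to) new v
        ("grant", "x", {"g"}, "v", "y"),              # x grants (g to v) to y
        ("grant", "y", {"r"}, "z", "v"),              # y grants (beta to z) to v
        ("take", "x", {"r"}, "z", "v"),               # x takes (beta to z) from v
    ]
    return apply_witness(g, steps).rights("x", "z")


def is_theft(g0, steps, alpha, p, q):
    """can·steal definition against a candidate witness: p lacks alpha to q in
    g0, holds it afterwards, and no owner of alpha to q in g0 ever grants it.
    Rejecting a grant of any part of alpha is stricter than the literal
    definition when alpha contains several rights."""
    alpha = set(alpha)
    if alpha <= g0.rights(p, q):
        return False
    owners = {a for (a, b) in g0.edges if b == q and g0.rights(a, b) & alpha}
    for step in steps:
        if step[0] == "grant":
            _, actor, rights, target, _recipient = step
            if actor in owners and target == q and set(rights) & alpha:
                return False
    return alpha <= apply_witness(g0, steps).rights(p, q)


def stealing_example():
    """Slides 20-24: initial graph, the theft witness and, for contrast, a
    witness where the owner u simply grants alpha to w (sharing, not theft)."""
    g = ProtectionGraph()
    for name in ("u", "s"):
        g.add_vertex(name, "subject")
    for name in ("v", "x", "w"):
        g.add_vertex(name, "object")                  # kinds assumed
    g.add_edge("u", "s", {"g"})
    g.add_edge("u", "v", {"t"})
    g.add_edge("v", "x", {"t"})
    g.add_edge("x", "u", {"t"})
    g.add_edge("u", "w", {"r"})                       # alpha = {"r"}, assumed
    theft = [
        ("grant", "u", {"t"}, "v", "s"),              # u grants (t to v) to s
        ("take", "s", {"t"}, "x", "v"),               # s takes (t to x) from v
        ("take", "s", {"t"}, "u", "x"),               # s takes (t to u) from x
        ("take", "s", {"r"}, "w", "u"),               # s takes (alpha to w) from u
    ]
    sharing = [("grant", "u", {"r"}, "w", "s")]       # u grants (alpha to w) to s
    return g, theft, sharing
```

Each rule raises when its precondition is not met, so replaying a witness doubles as a check that every step is legal in the graph reached so far; in the stealing example the last take fails if attempted before s has acquired t to u, and an object can never act. `is_theft` accepts the four-step witness and rejects the one-step sharing witness, which reaches the same final edge but through an owner's grant.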
can·steal Theorem:
can·steal(α, x, y, G) holds if, and only if, the following hold simultaneously:
• there is no edge from x to y labeled α in G
• there is a subject x′ such that x′ = x or x′ initially spans to x
• there is a vertex s with an edge to y labeled α in G
• can·share(t, x′, s, G) holds
⇒: Assume all four conditions hold.
• If x is a subject:
  • x gets t rights to s (last condition); then x takes α to y from s (third condition)
• If x is an object:
  • can·share(t, x′, s, G) holds
  • If x′ has no α edge to y in G, x′ takes (α to y) from s and grants it to x
  • If x′ has an α edge to y in G, x′ creates surrogate x″, gives it (t to s) and (g to x); then x″ takes (α to y) and grants it to x
⇐: Assume can·steal(α, x, y, G) holds.
• The first two conditions are immediate from the definitions of can·share and can·steal
• The third condition is immediate from the theorem giving the conditions for can·share
• Fourth condition: let ρ be a minimal-length sequence of rule applications deriving the final graph from G
• Let i be the smallest index such that the i-th rule application adds α from some p to y
• What rule is it?
• Not the remove or create rule: y exists already
• Not the grant rule: this is the first graph in which an edge labeled α to y is added, so the granter would have to hold α to y in G, which the definition of can·steal forbids
• Therefore it must be a take rule, so can·share(t, p, s, G) holds
• By an earlier theorem, there is a subject s′ such that s′ = s or s′ terminally spans to s
• Also, there is a sequence of islands with x′ in the first and s′ in the last
• Now consider what s is
• If s is an object, s′ ≠ s
• If s′ and p are in the same island, take p = s′; then can·share(t, x, s, G) holds
• If they are not, ρ is not of minimal length, contradicting the assumption
• So choose s′ in the same island as p
• If s is a subject, ask whether p is in the island of s
• If p is not, there is a subject q such that can·share(t, q, s, G) holds
• s is in that island, and none of the rules add new labels to incoming edges on existing vertices
• As s owns α rights to y in G, two cases arise:
  • If s ≠ q, replace "s grants (α to y) to q" with the sequence: p takes (α to y) from s; p takes (g to q) from s; p grants (α to y) to q
  • If s = q, you only need the first
Conspiracy
Conspiracy in general graphs
Given a protection graph G with subject vertices x1, ..., xn, we define a new graph, the conspiracy graph H, determined by G. H has one vertex for each xi, together with its set A(xi). There is an undirected edge between the vertices for x and x′ provided δ(x, x′) ≠ Ø, where δ is called the deletion operation:
δ(x, x′) = all elements in A(x) ∩ A(x′) except those z for which either (a) the only reason for z ∈ A(x) is that x initially spans to z and the only reason for z ∈ A(x′) is that x′ initially spans to z, or (b) the only reason for z ∈ A(x) is that x terminally spans to z and the only reason for z ∈ A(x′) is that x′ terminally spans to z.
The graph thus constructed is the conspiracy graph for G.
• Lemma 7.1: can·share(α, p, q, G) is true if and only if some ∈ is connected to some ∈
• Theorem 7.2: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are sufficient.
• Theorem 7.3: To produce a witness to can·share(α, p, q, G), |s.p.| conspirators are necessary.
Concluding Remarks
• how sharing is accomplished in the Take-Grant Model
• the algorithmic complexity of determining the minimum number of conspirators required for a right to be shared remains an open question
• determining, after the fact, what set of conspirators must have participated in the sharing of a right in a given graph